archive-gh-me/docker-gitlab
1
0
Fork 0
mirror of https://github.com/sameersbn/docker-gitlab.git synced 2025-12-08 17:36:24 +00:00
Code Issues Projects Releases Wiki Activity
docker-gitlab/assets/runtime/functions
Bart Joris 2ea27eef81
Add Generic OAuth2 provider (#2070) 
* Add Generic OAuth2 provider

* Add docs to test Keycloak on a local environment

* Update docs for oauth2_generic
2020-03-12 09:05:21 +01:00

1844 lines
60 KiB
Bash
Raw Blame History

#!/bin/bash
set -e
for file in /gitlab-configs /run/secrets/gitlab-secrets; do
if [[ -e "$file" ]]; then
echo "Loading $file"
source "$file"
fi
done
echo "Loading ${GITLAB_RUNTIME_DIR}/env-defaults"
source ${GITLAB_RUNTIME_DIR}/env-defaults
SYSCONF_TEMPLATES_DIR="${GITLAB_RUNTIME_DIR}/config"
USERCONF_TEMPLATES_DIR="${GITLAB_DATA_DIR}/config"
GITLAB_CONFIG="${GITLAB_INSTALL_DIR}/config/gitlab.yml"
GITLAB_DATABASE_CONFIG="${GITLAB_INSTALL_DIR}/config/database.yml"
GITLAB_UNICORN_CONFIG="${GITLAB_INSTALL_DIR}/config/unicorn.rb"
GITLAB_RELATIVE_URL_CONFIG="${GITLAB_INSTALL_DIR}/config/initializers/relative_url.rb"
GITLAB_RACK_ATTACK_CONFIG="${GITLAB_INSTALL_DIR}/config/initializers/rack_attack.rb"
GITLAB_SMTP_CONFIG="${GITLAB_INSTALL_DIR}/config/initializers/smtp_settings.rb"
GITLAB_RESQUE_CONFIG="${GITLAB_INSTALL_DIR}/config/resque.yml"
GITLAB_SECRETS_CONFIG="${GITLAB_INSTALL_DIR}/config/secrets.yml"
GITLAB_ROBOTS_CONFIG="${GITLAB_INSTALL_DIR}/public/robots.txt"
GITLAB_SHELL_CONFIG="${GITLAB_SHELL_INSTALL_DIR}/config.yml"
GITLAB_NGINX_CONFIG="/etc/nginx/sites-enabled/gitlab"
GITLAB_CI_NGINX_CONFIG="/etc/nginx/sites-enabled/gitlab_ci"
GITLAB_REGISTRY_NGINX_CONFIG="/etc/nginx/sites-enabled/gitlab-registry"
GITLAB_PAGES_NGINX_CONFIG="/etc/nginx/sites-enabled/gitlab-pages"
GITLAB_GITALY_CONFIG="${GITLAB_GITALY_INSTALL_DIR}/config.toml"
# Compares two version strings `a` and `b`
# Returns
# - negative integer, if `a` is less than `b`
# - 0, if `a` and `b` are equal
# - non-negative integer, if `a` is greater than `b`
vercmp() {
expr '(' "$1" : '\([^.]*\)' ')' '-' '(' "$2" : '\([^.]*\)' ')' '|' \
'(' "$1.0" : '[^.]*[.]\([^.]*\)' ')' '-' '(' "$2.0" : '[^.]*[.]\([^.]*\)' ')' '|' \
'(' "$1.0.0" : '[^.]*[.][^.]*[.]\([^.]*\)' ')' '-' '(' "$2.0.0" : '[^.]*[.][^.]*[.]\([^.]*\)' ')' '|' \
'(' "$1.0.0.0" : '[^.]*[.][^.]*[.][^.]*[.]\([^.]*\)' ')' '-' '(' "$2.0.0.0" : '[^.]*[.][^.]*[.][^.]*[.]\([^.]*\)' ')'
}
## Execute a command as GITLAB_USER
exec_as_git() {
if [[ $(whoami) == ${GITLAB_USER} ]]; then
$@
else
sudo -HEu ${GITLAB_USER} "$@"
fi
}
## Copies configuration template to the destination as the specified USER
### Looks up for overrides in ${USERCONF_TEMPLATES_DIR} before using the defaults from ${SYSCONF_TEMPLATES_DIR}
# $1: copy-as user
# $2: source file
# $3: destination location
# $4: mode of destination
install_template() {
local OWNERSHIP=${1}
local SRC=${2}
local DEST=${3}
local MODE=${4:-0644}
if [[ -f ${USERCONF_TEMPLATES_DIR}/${SRC} ]]; then
cp ${USERCONF_TEMPLATES_DIR}/${SRC} ${DEST}
elif [[ -f ${SYSCONF_TEMPLATES_DIR}/${SRC} ]]; then
cp ${SYSCONF_TEMPLATES_DIR}/${SRC} ${DEST}
fi
chmod ${MODE} ${DEST}
chown ${OWNERSHIP} ${DEST}
}
## Replace placeholders with values
# $1: file with placeholders to replace
# $x: placeholders to replace
update_template() {
local FILE=${1?missing argument}
shift
[[ ! -f ${FILE} ]] && return 1
local VARIABLES=($@)
local USR=$(stat -c %U ${FILE})
local tmp_file=$(mktemp)
cp -a "${FILE}" ${tmp_file}
local variable
for variable in ${VARIABLES[@]}; do
# Keep the compatibilty: {{VAR}} => ${VAR}
sed -ri "s/[{]{2}$variable[}]{2}/\${$variable}/g" ${tmp_file}
done
# Replace placeholders
(
export ${VARIABLES[@]}
local IFS=":"; sudo -HEu ${USR} envsubst "${VARIABLES[*]/#/$}" < ${tmp_file} > ${FILE}
)
rm -f ${tmp_file}
}
gitlab_finalize_database_parameters() {
# is a postgresql database linked?
# requires that the postgresql containers have exposed port 5432.
DB_HOST=${DB_HOST:-${POSTGRESQL_PORT_5432_TCP_ADDR}}
DB_PORT=${DB_PORT:-${POSTGRESQL_PORT_5432_TCP_PORT}}
# support for linked official postgres image
DB_USER=${DB_USER:-${POSTGRESQL_ENV_POSTGRES_USER}}
DB_PASS=${DB_PASS:-${POSTGRESQL_ENV_POSTGRES_PASSWORD}}
DB_NAME=${DB_NAME:-${POSTGRESQL_ENV_POSTGRES_DB}}
DB_NAME=${DB_NAME:-${POSTGRESQL_ENV_POSTGRES_USER}}
# support for linked sameersbn/postgresql image
DB_USER=${DB_USER:-${POSTGRESQL_ENV_DB_USER}}
DB_PASS=${DB_PASS:-${POSTGRESQL_ENV_DB_PASS}}
DB_NAME=${DB_NAME:-${POSTGRESQL_ENV_DB_NAME}}
# support for linked orchardup/postgresql image
DB_USER=${DB_USER:-${POSTGRESQL_ENV_POSTGRESQL_USER}}
DB_PASS=${DB_PASS:-${POSTGRESQL_ENV_POSTGRESQL_PASS}}
DB_NAME=${DB_NAME:-${POSTGRESQL_ENV_POSTGRESQL_DB}}
# support for linked paintedfox/postgresql image
DB_USER=${DB_USER:-${POSTGRESQL_ENV_USER}}
DB_PASS=${DB_PASS:-${POSTGRESQL_ENV_PASS}}
DB_NAME=${DB_NAME:-${POSTGRESQL_ENV_DB}}
if [[ -z ${DB_HOST} ]]; then
echo
echo "ERROR: "
echo " Please configure the database connection."
echo " Refer http://git.io/wkYhyA for more information."
echo " Cannot continue without a database. Aborting..."
echo
return 1
fi
# set default port number if not specified
DB_PORT=${DB_PORT:-5432}
DB_ENCODING=${DB_ENCODING:-unicode}
# set default user and database
DB_USER=${DB_USER:-root}
DB_NAME=${DB_NAME:-gitlabhq_production}
}
gitlab_check_database_connection() {
prog=$(find /usr/lib/postgresql/ -name pg_isready)
prog="${prog} -h ${DB_HOST} -p ${DB_PORT} -U ${DB_USER} -d ${DB_NAME} -t 1"
timeout=60
while ! ${prog} >/dev/null 2>&1
do
timeout=$(expr $timeout - 1)
if [[ $timeout -eq 0 ]]; then
echo
echo "Could not connect to database server. Aborting..."
return 1
fi
echo -n "."
sleep 1
done
echo
}
gitlab_configure_database() {
echo -n "Configuring gitlab::database"
gitlab_finalize_database_parameters
gitlab_check_database_connection
update_template ${GITLAB_DATABASE_CONFIG} \
DB_ENCODING \
DB_HOST \
DB_PORT \
DB_NAME \
DB_USER \
DB_PASS \
DB_POOL \
DB_PREPARED_STATEMENTS
}
gitlab_finalize_redis_parameters() {
# is a redis container linked?
if [[ -n ${REDISIO_PORT_6379_TCP_ADDR} ]]; then
REDIS_HOST=${REDIS_HOST:-${REDISIO_PORT_6379_TCP_ADDR}}
REDIS_PORT=${REDIS_PORT:-${REDISIO_PORT_6379_TCP_PORT}}
fi
# set default redis port if not specified
REDIS_PORT=${REDIS_PORT:-6379}
if [[ -z ${REDIS_HOST} ]]; then
echo
echo "ERROR: "
echo " Please configure the redis connection."
echo " Refer http://git.io/PMnRSw for more information."
echo " Cannot continue without a redis connection. Aborting..."
echo
return 1
fi
}
gitlab_check_redis_connection() {
timeout=60
while ! redis-cli -h ${REDIS_HOST} -p ${REDIS_PORT} -n ${REDIS_DB_NUMBER} ping >/dev/null 2>&1
do
timeout=$(expr $timeout - 1)
if [[ $timeout -eq 0 ]]; then
echo ""
echo "Could not connect to redis server. Aborting..."
return 1
fi
echo -n "."
sleep 1
done
echo
}
gitlab_configure_redis() {
echo -n "Configuring gitlab::redis"
gitlab_finalize_redis_parameters
gitlab_check_redis_connection
update_template ${GITLAB_RESQUE_CONFIG} \
REDIS_HOST \
REDIS_PORT \
REDIS_DB_NUMBER
}
gitlab_configure_gitaly() {
echo "Configuring gitlab::gitaly..."
update_template ${GITLAB_GITALY_CONFIG} \
GITALY_SOCKET_PATH \
GITLAB_REPOS_DIR
update_template ${GITLAB_CONFIG} \
GITALY_CLIENT_PATH \
GITALY_TOKEN
}
gitlab_configure_monitoring() {
echo "Configuring gitlab::monitoring..."
update_template ${GITLAB_CONFIG} \
GITLAB_MONITORING_UNICORN_SAMPLER_INTERVAL \
GITLAB_MONITORING_IP_WHITELIST \
GITLAB_MONITORING_SIDEKIQ_EXPORTER_ENABLED \
GITLAB_MONITORING_SIDEKIQ_EXPORTER_ADDRESS \
GITLAB_MONITORING_SIDEKIQ_EXPORTER_PORT
}
gitlab_configure_gitlab_workhorse() {
echo "Configuring gitlab::gitlab-workhorse..."
update_template /etc/supervisor/conf.d/gitlab-workhorse.conf \
GITLAB_RELATIVE_URL_ROOT \
GITLAB_WORKHORSE_TIMEOUT
}
gitlab_configure_unicorn() {
echo "Configuring gitlab::unicorn..."
if [[ -n ${GITLAB_RELATIVE_URL_ROOT} ]]; then
update_template ${GITLAB_UNICORN_CONFIG} GITLAB_RELATIVE_URL_ROOT
else
exec_as_git sed -i "/{{GITLAB_RELATIVE_URL_ROOT}}/d" ${GITLAB_UNICORN_CONFIG}
fi
update_template ${GITLAB_UNICORN_CONFIG} \
GITLAB_INSTALL_DIR \
UNICORN_WORKERS \
UNICORN_TIMEOUT
}
gitlab_configure_relative_url() {
if [[ -n ${GITLAB_RELATIVE_URL_ROOT} ]]; then
echo "Configuring gitlab::relative_url..."
update_template ${GITLAB_RELATIVE_URL_CONFIG} GITLAB_RELATIVE_URL_ROOT
fi
}
gitlab_configure_trusted_proxies() {
if [[ -n ${GITLAB_TRUSTED_PROXIES} ]]; then
echo "Configuring gitlab::trusted_proxies..."
update_template ${GITLAB_CONFIG} GITLAB_TRUSTED_PROXIES
else
exec_as_git sed -i "/{{GITLAB_TRUSTED_PROXIES}}/d" ${GITLAB_CONFIG}
fi
}
gitlab_configure_timezone() {
echo "Configuring gitlab::timezone..."
update_template ${GITLAB_CONFIG} GITLAB_TIMEZONE
}
gitlab_configure_mail_delivery() {
if [[ ${SMTP_ENABLED} == true ]]; then
echo "Configuring gitlab::smtp_settings..."
if [[ -z "${SMTP_USER}" ]]; then
exec_as_git sed -i \
-e '/{{SMTP_USER}}/d' \
-e '/{{SMTP_PASS}}/d' \
${GITLAB_SMTP_CONFIG}
else
if [[ -z "${SMTP_PASS}" ]]; then
exec_as_git sed -i '/{{SMTP_PASS}}/d' ${GITLAB_SMTP_CONFIG}
fi
fi
update_template ${GITLAB_SMTP_CONFIG} \
SMTP_USER \
SMTP_PASS \
SMTP_HOST \
SMTP_PORT \
SMTP_DOMAIN \
SMTP_STARTTLS \
SMTP_TLS \
SMTP_OPENSSL_VERIFY_MODE
case ${SMTP_AUTHENTICATION} in
"") exec_as_git sed -i "/{{SMTP_AUTHENTICATION}}/d" ${GITLAB_SMTP_CONFIG} ;;
*) update_template ${GITLAB_SMTP_CONFIG} SMTP_AUTHENTICATION ;;
esac
if [[ ${SMTP_CA_ENABLED} == true ]]; then
if [[ -d ${SMTP_CA_PATH} ]]; then
update_template ${GITLAB_SMTP_CONFIG} SMTP_CA_PATH
fi
if [[ -f ${SMTP_CA_FILE} ]]; then
update_template ${GITLAB_SMTP_CONFIG} SMTP_CA_FILE
fi
else
exec_as_git sed -i \
-e "/{{SMTP_CA_PATH}}/d" \
-e "/{{SMTP_CA_FILE}}/d" \
${GITLAB_SMTP_CONFIG}
fi
fi
update_template ${GITLAB_CONFIG} \
GITLAB_EMAIL_ENABLED \
GITLAB_EMAIL \
GITLAB_EMAIL_DISPLAY_NAME \
GITLAB_EMAIL_REPLY_TO \
GITLAB_EMAIL_SUBJECT_SUFFIX
if [[ ${GITLAB_EMAIL_SMIME_ENABLE} == true ]]; then
exec_as_git sed -i "/#start-email-smime/d" ${GITLAB_CONFIG}
exec_as_git sed -i "/#end-email-smime/d" ${GITLAB_CONFIG}
update_template ${GITLAB_CONFIG} \
GITLAB_EMAIL_SMIME_ENABLE \
GITLAB_EMAIL_SMIME_KEY_FILE \
GITLAB_EMAIL_SMIME_CERT_FILE
else
exec_as_git sed -i "/#start-email-smime/,/#end-email-smime/d" ${GITLAB_CONFIG}
fi
}
gitlab_configure_mailroom() {
if [[ ${IMAP_ENABLED} == true ]]; then
echo "Configuring gitlab::incoming_email..."
if [[ -z "${IMAP_USER}" ]]; then
exec_as_git sed -i \
-e '/{{IMAP_USER}}/d' \
-e '/{{IMAP_PASS}}/d' \
${GITLAB_CONFIG}
else
if [[ -z "${IMAP_PASS}" ]]; then
exec_as_git sed -i '/{{IMAP_PASS}}/d' ${GITLAB_CONFIG}
fi
fi
else
exec_as_git sed -i \
-e "/{{IMAP_USER}}/d" \
-e "/{{IMAP_PASS}}/d" \
-e "/{{IMAP_HOST}}/d" \
-e "/{{IMAP_PORT}}/d" \
-e "/{{IMAP_SSL}}/d" \
-e "/{{IMAP_STARTTLS}}/d" \
-e "/{{IMAP_MAILBOX}}/d" \
-e "/{{IMAP_TIMEOUT}}/d" \
${GITLAB_CONFIG}
fi
update_template ${GITLAB_CONFIG} \
GITLAB_INCOMING_EMAIL_ADDRESS \
GITLAB_INCOMING_EMAIL_ENABLED \
IMAP_USER \
IMAP_PASS \
IMAP_HOST \
IMAP_PORT \
IMAP_SSL \
IMAP_STARTTLS \
IMAP_MAILBOX \
IMAP_TIMEOUT
# enable/disable startup of mailroom
echo "mail_room_enabled=${GITLAB_INCOMING_EMAIL_ENABLED}" >> /etc/default/gitlab
update_template /etc/supervisor/conf.d/mail_room.conf GITLAB_INCOMING_EMAIL_ENABLED
}
gitlab_configure_ldap() {
echo "Configuring gitlab::ldap..."
update_template ${GITLAB_CONFIG} \
LDAP_ENABLED \
LDAP_HOST \
LDAP_PORT \
LDAP_UID \
LDAP_METHOD \
LDAP_VERIFY_SSL \
LDAP_CA_FILE \
LDAP_SSL_VERSION \
LDAP_BIND_DN \
LDAP_PASS \
LDAP_TIMEOUT \
LDAP_ACTIVE_DIRECTORY \
LDAP_ALLOW_USERNAME_OR_EMAIL_LOGIN \
LDAP_BLOCK_AUTO_CREATED_USERS \
LDAP_BASE \
LDAP_USER_FILTER \
LDAP_LOWERCASE_USERNAMES \
LDAP_USER_ATTRIBUTE_USERNAME \
LDAP_USER_ATTRIBUTE_MAIL \
LDAP_USER_ATTRIBUTE_NAME \
LDAP_USER_ATTRIBUTE_FIRSTNAME \
LDAP_USER_ATTRIBUTE_LASTNAME \
LDAP_LABEL
}
gitlab_configure_oauth_cas3() {
if [[ -n ${OAUTH_CAS3_SERVER} ]]; then
echo "Configuring gitlab::oauth::cas3..."
OAUTH_ENABLED=${OAUTH_ENABLED:-true}
update_template ${GITLAB_CONFIG} \
OAUTH_CAS3_LABEL \
OAUTH_CAS3_SERVER \
OAUTH_CAS3_DISABLE_SSL_VERIFICATION \
OAUTH_CAS3_LOGIN_URL \
OAUTH_CAS3_VALIDATE_URL \
OAUTH_CAS3_LOGOUT_URL
else
exec_as_git sed -i "/name: 'cas3'/,/{{OAUTH_CAS3_LOGOUT_URL}}/d" ${GITLAB_CONFIG}
fi
}
gitlab_configure_oauth_google() {
if [[ -n ${OAUTH_GOOGLE_API_KEY} && -n ${OAUTH_GOOGLE_APP_SECRET} ]]; then
echo "Configuring gitlab::oauth::google..."
OAUTH_ENABLED=${OAUTH_ENABLED:-true}
if [[ -n ${OAUTH_GOOGLE_RESTRICT_DOMAIN} ]]; then
update_template ${GITLAB_CONFIG} \
OAUTH_GOOGLE_API_KEY \
OAUTH_GOOGLE_APP_SECRET \
OAUTH_GOOGLE_RESTRICT_DOMAIN \
OAUTH_GOOGLE_APPROVAL_PROMPT
else
exec_as_git sed -i "/ hd\: \[{{OAUTH_GOOGLE_RESTRICT_DOMAIN}}\]/d" ${GITLAB_CONFIG}
exec_as_git sed -i "s/approval_prompt: '{{OAUTH_GOOGLE_APPROVAL_PROMPT}}',/approval_prompt: '{{OAUTH_GOOGLE_APPROVAL_PROMPT}}' } }/" ${GITLAB_CONFIG}
update_template ${GITLAB_CONFIG} \
OAUTH_GOOGLE_API_KEY \
OAUTH_GOOGLE_APP_SECRET \
OAUTH_GOOGLE_APPROVAL_PROMPT
fi
else
exec_as_git sed -i "/name: 'google_oauth2'/,/{{OAUTH_GOOGLE_RESTRICT_DOMAIN}}/d" ${GITLAB_CONFIG}
fi
}
gitlab_configure_oauth_facebook() {
if [[ -n ${OAUTH_FACEBOOK_API_KEY} && -n ${OAUTH_FACEBOOK_APP_SECRET} ]]; then
echo "Configuring gitlab::oauth::facebook..."
OAUTH_ENABLED=${OAUTH_ENABLED:-true}
update_template ${GITLAB_CONFIG} \
OAUTH_FACEBOOK_API_KEY \
OAUTH_FACEBOOK_APP_SECRET
else
exec_as_git sed -i "/name: 'facebook'/,/{{OAUTH_FACEBOOK_APP_SECRET}}/d" ${GITLAB_CONFIG}
fi
}
gitlab_configure_oauth_twitter() {
if [[ -n ${OAUTH_TWITTER_API_KEY} && -n ${OAUTH_TWITTER_APP_SECRET} ]]; then
echo "Configuring gitlab::oauth::twitter..."
OAUTH_ENABLED=${OAUTH_ENABLED:-true}
update_template ${GITLAB_CONFIG} \
OAUTH_TWITTER_API_KEY \
OAUTH_TWITTER_APP_SECRET
else
exec_as_git sed -i "/name: 'twitter'/,/{{OAUTH_TWITTER_APP_SECRET}}/d" ${GITLAB_CONFIG}
fi
}
gitlab_configure_oauth_authentiq() {
if [[ -n ${OAUTH_AUTHENTIQ_CLIENT_ID} && -n ${OAUTH_AUTHENTIQ_CLIENT_SECRET} ]]; then
echo "Configuring gitlab::oauth::authentiq..."
OAUTH_ENABLED=${OAUTH_ENABLED:-true}
update_template ${GITLAB_CONFIG} \
OAUTH_AUTHENTIQ_CLIENT_ID \
OAUTH_AUTHENTIQ_CLIENT_SECRET \
OAUTH_AUTHENTIQ_SCOPE \
OAUTH_AUTHENTIQ_REDIRECT_URI
else
exec_as_git sed -i "/name: 'authentiq'/,/{{OAUTH_AUTHENTIQ_SCOPE}}/d" ${GITLAB_CONFIG}
fi
}
gitlab_configure_oauth_github() {
if [[ -n ${OAUTH_GITHUB_API_KEY} && -n ${OAUTH_GITHUB_APP_SECRET} ]]; then
echo "Configuring gitlab::oauth::github..."
OAUTH_ENABLED=${OAUTH_ENABLED:-true}
update_template ${GITLAB_CONFIG} \
OAUTH_GITHUB_API_KEY \
OAUTH_GITHUB_APP_SECRET \
OAUTH_GITHUB_URL \
OAUTH_GITHUB_VERIFY_SSL \
OAUTH_GITHUB_SCOPE
else
exec_as_git sed -i "/name: 'github'/,/{{OAUTH_GITHUB_SCOPE}}/d" ${GITLAB_CONFIG}
fi
}
gitlab_configure_oauth_gitlab() {
if [[ -n ${OAUTH_GITLAB_API_KEY} && -n ${OAUTH_GITLAB_APP_SECRET} ]]; then
echo "Configuring gitlab::oauth::gitlab..."
OAUTH_ENABLED=${OAUTH_ENABLED:-true}
update_template ${GITLAB_CONFIG} \
OAUTH_GITLAB_API_KEY \
OAUTH_GITLAB_APP_SECRET \
OAUTH_GITLAB_SCOPE
else
exec_as_git sed -i "/name: 'gitlab'/,/{{OAUTH_GITLAB_SCOPE}}/d" ${GITLAB_CONFIG}
fi
}
gitlab_configure_oauth_bitbucket() {
if [[ -n ${OAUTH_BITBUCKET_API_KEY} && -n ${OAUTH_BITBUCKET_APP_SECRET} ]]; then
echo "Configuring gitlab::oauth::bitbucket..."
OAUTH_ENABLED=${OAUTH_ENABLED:-true}
update_template ${GITLAB_CONFIG} \
OAUTH_BITBUCKET_API_KEY \
OAUTH_BITBUCKET_APP_SECRET
else
exec_as_git sed -i "/name: 'bitbucket'/,/{{OAUTH_BITBUCKET_APP_SECRET}}/d" ${GITLAB_CONFIG}
fi
}
gitlab_configure_oauth_saml_attribute_statements() {
if [[ -n ${OAUTH_SAML_ATTRIBUTE_STATEMENTS_EMAIL} && \
-n ${OAUTH_SAML_ATTRIBUTE_STATEMENTS_NAME} ]]; then
echo "Configuring gitlab::oauth::saml::attribute_statements..."
update_template ${GITLAB_CONFIG} \
OAUTH_SAML_ATTRIBUTE_STATEMENTS_EMAIL \
OAUTH_SAML_ATTRIBUTE_STATEMENTS_NAME \
OAUTH_SAML_ATTRIBUTE_STATEMENTS_FIRST_NAME \
OAUTH_SAML_ATTRIBUTE_STATEMENTS_LAST_NAME
# Remove undefined optional attributes
exec_as_git sed -i "/email: \\[''\\],/d" ${GITLAB_CONFIG}
exec_as_git sed -i "/name: \\[''\\],/d" ${GITLAB_CONFIG}
exec_as_git sed -i "/username: \\[''\\],/d" ${GITLAB_CONFIG}
exec_as_git sed -i "/first_name: \\[''\\],/d" ${GITLAB_CONFIG}
exec_as_git sed -i "/last_name: \\[''\\],/d" ${GITLAB_CONFIG}
else
exec_as_git sed -i "/attribute_statements:/,/{{OAUTH_SAML_ATTRIBUTE_STATEMENTS_EMAIL}}/d" ${GITLAB_CONFIG}
fi
}
gitlab_configure_oauth_saml() {
if [[ -n ${OAUTH_SAML_ASSERTION_CONSUMER_SERVICE_URL} && \
-n ${OAUTH_SAML_IDP_CERT_FINGERPRINT} && \
-n ${OAUTH_SAML_IDP_SSO_TARGET_URL} && \
-n ${OAUTH_SAML_ISSUER} && \
-n ${OAUTH_SAML_NAME_IDENTIFIER_FORMAT} ]]; then
echo "Configuring gitlab::oauth::saml..."
OAUTH_ENABLED=${OAUTH_ENABLED:-true}
update_template ${GITLAB_CONFIG} \
OAUTH_SAML_LABEL \
OAUTH_SAML_ASSERTION_CONSUMER_SERVICE_URL \
OAUTH_SAML_IDP_CERT_FINGERPRINT \
OAUTH_SAML_IDP_SSO_TARGET_URL \
OAUTH_SAML_ISSUER \
OAUTH_SAML_NAME_IDENTIFIER_FORMAT \
OAUTH_SAML_GROUPS_ATTRIBUTE \
OAUTH_SAML_EXTERNAL_GROUPS
exec_as_git sed -i "/groups_attribute: '',/d" ${GITLAB_CONFIG}
exec_as_git sed -i "/external_groups: \\[\\],/d" ${GITLAB_CONFIG}
gitlab_configure_oauth_saml_attribute_statements
else
exec_as_git sed -i "/name: 'saml'/,/{{OAUTH_SAML_NAME_IDENTIFIER_FORMAT}}/d" ${GITLAB_CONFIG}
fi
}
gitlab_configure_oauth2_generic() {
if [[ -n ${OAUTH2_GENERIC_APP_ID} && \
-n ${OAUTH2_GENERIC_APP_SECRET} ]]; then
echo "Configuring gitlab::oauth::generic..."
OAUTH_ENABLED=${OAUTH_ENABLED:-true}
update_template ${GITLAB_CONFIG} \
OAUTH2_GENERIC_APP_ID \
OAUTH2_GENERIC_APP_SECRET \
OAUTH2_GENERIC_CLIENT_SITE \
OAUTH2_GENERIC_CLIENT_USER_INFO_URL \
OAUTH2_GENERIC_CLIENT_AUTHORIZE_URL \
OAUTH2_GENERIC_CLIENT_TOKEN_URL \
OAUTH2_GENERIC_CLIENT_END_SESSION_ENDPOINT \
OAUTH2_GENERIC_ID_PATH \
OAUTH2_GENERIC_USER_UID \
OAUTH2_GENERIC_USER_NAME \
OAUTH2_GENERIC_USER_EMAIL \
OAUTH2_GENERIC_NAME
fi
}
gitlab_configure_oauth_crowd() {
if [[ -n ${OAUTH_CROWD_SERVER_URL} && \
-n ${OAUTH_CROWD_APP_NAME} && \
-n ${OAUTH_CROWD_APP_PASSWORD} ]]; then
echo "Configuring gitlab::oauth::crowd..."
OAUTH_ENABLED=${OAUTH_ENABLED:-true}
update_template ${GITLAB_CONFIG} \
OAUTH_CROWD_SERVER_URL \
OAUTH_CROWD_APP_NAME \
OAUTH_CROWD_APP_PASSWORD
else
exec_as_git sed -i "/name: 'crowd'/,/{{OAUTH_CROWD_APP_PASSWORD}}/d" ${GITLAB_CONFIG}
fi
}
gitlab_configure_oauth_auth0() {
if [[ -n ${OAUTH_AUTH0_CLIENT_ID} && \
-n ${OAUTH_AUTH0_CLIENT_SECRET} && \
-n ${OAUTH_AUTH0_SCOPE} && \
-n ${OAUTH_AUTH0_DOMAIN} ]]; then
echo "Configuring gitlab::oauth::auth0..."
OAUTH_ENABLED=${OAUTH_ENABLED:-true}
update_template ${GITLAB_CONFIG} \
OAUTH_AUTH0_CLIENT_ID \
OAUTH_AUTH0_CLIENT_SECRET \
OAUTH_AUTH0_DOMAIN \
OAUTH_AUTH0_SCOPE
else
exec_as_git sed -i "/name: 'auth0'/,/{{OAUTH_AUTH0_SCOPE}}/d" ${GITLAB_CONFIG}
fi
}
gitlab_configure_oauth_azure() {
if [[ -n ${OAUTH_AZURE_API_KEY} && \
-n ${OAUTH_AZURE_API_SECRET} && \
-n ${OAUTH_AZURE_TENANT_ID} ]]; then
echo "Configuring gitlab::oauth::azure..."
OAUTH_ENABLED=${OAUTH_ENABLED:-true}
update_template ${GITLAB_CONFIG} \
OAUTH_AZURE_API_KEY \
OAUTH_AZURE_API_SECRET \
OAUTH_AZURE_TENANT_ID
else
exec_as_git sed -i "/name: 'azure_oauth2'/,/{{OAUTH_AZURE_TENANT_ID}}/d" ${GITLAB_CONFIG}
fi
}
gitlab_configure_oauth() {
echo "Configuring gitlab::oauth..."
gitlab_configure_oauth_cas3
gitlab_configure_oauth_google
gitlab_configure_oauth_facebook
gitlab_configure_oauth_twitter
gitlab_configure_oauth_authentiq
gitlab_configure_oauth_github
gitlab_configure_oauth_gitlab
gitlab_configure_oauth_bitbucket
gitlab_configure_oauth_saml
gitlab_configure_oauth2_generic
gitlab_configure_oauth_crowd
gitlab_configure_oauth_auth0
gitlab_configure_oauth_azure
OAUTH_ENABLED=${OAUTH_ENABLED:-false}
update_template ${GITLAB_CONFIG} \
OAUTH_ENABLED \
OAUTH_ALLOW_SSO \
OAUTH_BLOCK_AUTO_CREATED_USERS \
OAUTH_AUTO_LINK_LDAP_USER \
OAUTH_AUTO_LINK_SAML_USER \
OAUTH_EXTERNAL_PROVIDERS
case ${OAUTH_AUTO_SIGN_IN_WITH_PROVIDER} in
cas3|google_oauth2|facebook|twitter|github|gitlab|bitbucket|saml|crowd|azure_oauth2|oauth2_generic)
update_template ${GITLAB_CONFIG} OAUTH_AUTO_SIGN_IN_WITH_PROVIDER
;;
*)
exec_as_git sed -i "/{{OAUTH_AUTO_SIGN_IN_WITH_PROVIDER}}/d" ${GITLAB_CONFIG}
;;
esac
}
gitlab_configure_secrets() {
echo "Configuring gitlab::secrets..."
if [[ -z $GITLAB_SECRETS_DB_KEY_BASE ]]; then
echo "ERROR: "
echo " Please configure the GITLAB_SECRETS_DB_KEY_BASE parameter."
echo " Cannot continue. Aborting..."
return 1
fi
if [[ -z $GITLAB_SECRETS_SECRET_KEY_BASE ]]; then
echo "ERROR: "
echo " Please configure the GITLAB_SECRETS_SECRET_KEY_BASE parameter."
echo " Cannot continue. Aborting..."
return 1
fi
if [[ -z $GITLAB_SECRETS_OTP_KEY_BASE ]]; then
echo "ERROR: "
echo " Please configure the GITLAB_SECRETS_OTP_KEY_BASE parameter."
echo " Cannot continue. Aborting..."
return 1
fi
update_template ${GITLAB_SECRETS_CONFIG} \
GITLAB_SECRETS_DB_KEY_BASE \
GITLAB_SECRETS_SECRET_KEY_BASE \
GITLAB_SECRETS_OTP_KEY_BASE
local shell_secret="${GITLAB_INSTALL_DIR}/.gitlab_shell_secret"
if [[ ! -f "${shell_secret}" ]]; then
exec_as_git openssl rand -hex -out "${shell_secret}" 16
chmod 600 "${shell_secret}"
fi
local workhorse_secret="${GITLAB_INSTALL_DIR}/.gitlab_workhorse_secret"
if [[ ! -f "${workhorse_secret}" ]]; then
exec_as_git openssl rand -base64 -out "${workhorse_secret}" 32
chmod 600 "${workhorse_secret}"
fi
}
gitlab_configure_sidekiq() {
echo "Configuring gitlab::sidekiq..."
# configure gitlab sidekiq log format
update_template ${GITLAB_CONFIG} \
GITLAB_SIDEKIQ_LOG_FORMAT
# configure sidekiq
update_template /etc/supervisor/conf.d/sidekiq.conf \
SIDEKIQ_CONCURRENCY \
SIDEKIQ_SHUTDOWN_TIMEOUT
# enable SidekiqMemoryKiller
## The MemoryKiller is enabled by gitlab if the `SIDEKIQ_MEMORY_KILLER_MAX_RSS` is
## defined in the programs environment and has a non-zero value.
##
## Simply exporting the variable makes it available in the programs environment and
## therefore should enable the MemoryKiller.
##
## Every other MemoryKiller option specified in the docker env will automatically
## be exported, so why bother
export SIDEKIQ_MEMORY_KILLER_MAX_RSS
}
gitlab_configure_backups_schedule() {
case ${GITLAB_BACKUP_SCHEDULE} in
daily|weekly|monthly)
if ! crontab -u ${GITLAB_USER} -l >/tmp/cron.${GITLAB_USER} 2>/dev/null || ! grep -q 'bundle exec rake gitlab:backup:create' /tmp/cron.${GITLAB_USER}; then
echo "Configuring gitlab::backups::schedule..."
read hour min <<< ${GITLAB_BACKUP_TIME//[:]/ }
day_of_month=*
month=*
day_of_week=*
case ${GITLAB_BACKUP_SCHEDULE} in
daily) ;;
weekly) day_of_week=0 ;;
monthly) day_of_month=01 ;;
esac
if [[ -n ${GITLAB_BACKUP_DIR_GROUP} ]]; then
echo "$min $hour $day_of_month $month $day_of_week /bin/bash -l -c 'cd ${GITLAB_INSTALL_DIR} && bundle exec rake gitlab:backup:create SKIP=${GITLAB_BACKUP_SKIP} DIRECTORY=${GITLAB_BACKUP_DIR_GROUP} RAILS_ENV=${RAILS_ENV}'" >> /tmp/cron.${GITLAB_USER}
else
echo "$min $hour $day_of_month $month $day_of_week /bin/bash -l -c 'cd ${GITLAB_INSTALL_DIR} && bundle exec rake gitlab:backup:create SKIP=${GITLAB_BACKUP_SKIP} RAILS_ENV=${RAILS_ENV}'" >> /tmp/cron.${GITLAB_USER}
fi
crontab -u ${GITLAB_USER} /tmp/cron.${GITLAB_USER}
fi
rm -rf /tmp/cron.${GITLAB_USER}
;;
esac
}
gitlab_configure_backups_aws() {
echo "Configuring gitlab::backups::aws..."
exec_as_git sed -i "/#start-gcs/,/#end-gcs/d" ${GITLAB_CONFIG}
exec_as_git sed -i "/#start-aws/d" ${GITLAB_CONFIG}
exec_as_git sed -i "/#end-aws/d" ${GITLAB_CONFIG}
if [[ -z ${AWS_BACKUP_MULTIPART_CHUNK_SIZE} ]]; then
exec_as_git sed -i "/#start-multipart/,/#end-multipart/d" ${GITLAB_CONFIG}
fi
if [[ -z ${AWS_BACKUP_MULTIPART_CHUNK_SIZE} ]]; then
exec_as_git sed -i "/#start-multipart-aws/,/#end-multipart-aws/d" ${GITLAB_CONFIG}
fi
if [[ ${AWS_BACKUP_ENCRYPTION} != true ]]; then
exec_as_git sed -i "/#start-encryption-aws/,/#end-encryption-aws/d" ${GITLAB_CONFIG}
fi
if [[ -z ${AWS_BACKUP_REGION} && -z ${AWS_BACKUP_ENDPOINT} ]]; then
echo "\nMissing AWS region or endpoint. Aborting...\n"
return 1
fi
if [[ ! -z ${AWS_BACKUP_ENDPOINT} ]]; then
AWS_BACKUP_PATH_STYLE="true"
fi
if [[ -z ${AWS_BACKUP_ACCESS_KEY_ID} || -z ${AWS_BACKUP_SECRET_ACCESS_KEY} || -z ${AWS_BACKUP_BUCKET} ]]; then
echo "\nMissing AWS options. Aborting...\n"
return 1
fi
update_template ${GITLAB_CONFIG} \
AWS_BACKUP_REGION \
AWS_BACKUP_ENDPOINT \
AWS_BACKUP_PATH_STYLE \
AWS_BACKUP_ACCESS_KEY_ID \
AWS_BACKUP_SECRET_ACCESS_KEY \
AWS_BACKUP_BUCKET \
AWS_BACKUP_MULTIPART_CHUNK_SIZE \
AWS_BACKUP_STORAGE_CLASS \
AWS_BACKUP_SIGNATURE_VERSION
}
gitlab_configure_backup_gcs() {
echo "Configuring gitlab::backups::gcs..."
exec_as_git sed -i "/#start-aws/,/#end-aws/d" ${GITLAB_CONFIG}
exec_as_git sed -i "/#start-gcs/d" ${GITLAB_CONFIG}
exec_as_git sed -i "/#end-gcs/d" ${GITLAB_CONFIG}
if [[ -z ${GCS_BACKUP_ACCESS_KEY_ID} || -z ${GCS_BACKUP_SECRET_ACCESS_KEY} || -z ${GCS_BACKUP_BUCKET} ]]; then
printf "\nMissing GCS options. Aborting...\n"
return 1
fi
update_template ${GITLAB_CONFIG} \
GCS_BACKUP_ACCESS_KEY_ID \
GCS_BACKUP_SECRET_ACCESS_KEY \
GCS_BACKUP_BUCKET
}
gitlab_configure_backups() {
echo "Configuring gitlab::backups..."
update_template ${GITLAB_CONFIG} \
GITLAB_BACKUP_DIR \
GITLAB_BACKUP_EXPIRY \
GITLAB_BACKUP_PG_SCHEMA \
GITLAB_BACKUP_ARCHIVE_PERMISSIONS
gitlab_configure_backups_schedule
if [[ ${AWS_BACKUPS} != true && ${GCS_BACKUPS} != true ]]; then
exec_as_git sed -i "/\s\+upload:/,/#end-gcs/d" ${GITLAB_CONFIG}
return 0
fi
if [[ ${AWS_BACKUPS} == true && ${GCS_BACKUPS} == true ]]; then
printf "\nAWS and GCE cannot be enabled together, please choose one...\n"
return 1
fi
if [[ ${AWS_BACKUPS} == true ]]; then
gitlab_configure_backups_aws
fi
if [[ ${GCS_BACKUPS} == true ]]; then
gitlab_configure_backup_gcs
fi
}
gitlab_configure_gravatar() {
update_template ${GITLAB_CONFIG} GITLAB_GRAVATAR_ENABLED
if [[ -n ${GITLAB_GRAVATAR_HTTP_URL} ]]; then
echo "Configuring gitlab::gravatar::http..."
update_template ${GITLAB_CONFIG} GITLAB_GRAVATAR_HTTP_URL
else
exec_as_git sed -i "/{{GITLAB_GRAVATAR_HTTP_URL}}/d" ${GITLAB_CONFIG}
fi
if [[ -n ${GITLAB_GRAVATAR_HTTPS_URL} ]]; then
echo "Configuring gitlab::gravatar::https..."
update_template ${GITLAB_CONFIG} GITLAB_GRAVATAR_HTTPS_URL
else
exec_as_git sed -i "/{{GITLAB_GRAVATAR_HTTPS_URL}}/d" ${GITLAB_CONFIG}
fi
}
gitlab_configure_cron_jobs() {
echo "Configuring gitlab::cron_jobs..."
if [[ -n "${GITLAB_PIPELINE_SCHEDULE_WORKER_CRON}" ]]; then
update_template ${GITLAB_CONFIG} GITLAB_PIPELINE_SCHEDULE_WORKER_CRON
else
exec_as_git sed -i "/{{GITLAB_PIPELINE_SCHEDULE_WORKER_CRON}}/d" ${GITLAB_CONFIG}
fi
}
gitlab_configure_analytics_google() {
if [[ -n ${GOOGLE_ANALYTICS_ID} ]]; then
echo "Configuring gitlab::analytics:google..."
update_template ${GITLAB_CONFIG} GOOGLE_ANALYTICS_ID
else
exec_as_git sed -i "/{{GOOGLE_ANALYTICS_ID}}/d" ${GITLAB_CONFIG}
fi
}
gitlab_configure_analytics_piwik() {
if [[ -n ${PIWIK_URL} && -n ${PIWIK_SITE_ID} ]]; then
echo "Configuring gitlab::analytics:piwik..."
update_template ${GITLAB_CONFIG} \
PIWIK_URL \
PIWIK_SITE_ID
else
exec_as_git sed -i \
-e "/{{PIWIK_URL}}/d" \
-e "/{{PIWIK_SITE_ID}}/d" \
${GITLAB_CONFIG}
fi
}
gitlab_configure_analytics() {
gitlab_configure_analytics_google
gitlab_configure_analytics_piwik
}
gitlab_configure_rack_attack() {
echo "Configuring gitlab::rack_attack..."
update_template ${GITLAB_CONFIG} \
RACK_ATTACK_ENABLED \
RACK_ATTACK_WHITELIST \
RACK_ATTACK_MAXRETRY \
RACK_ATTACK_FINDTIME \
RACK_ATTACK_BANTIME
}
gitlab_configure_ci() {
echo "Configuring gitlab::ci..."
update_template ${GITLAB_CONFIG} \
GITLAB_NOTIFY_ON_BROKEN_BUILDS \
GITLAB_NOTIFY_PUSHER GITLAB_BUILDS_DIR
}
gitlab_configure_artifacts() {
if [[ ${GITLAB_ARTIFACTS_OBJECT_STORE_ENABLED} == true ]]; then
echo "Configuring gitlab::artifacts:object_store"
if [[ "${GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_PROVIDER}" == "Google" ]]; then
echo " -> Google ARTIFACTS provider selected removing aws config"
exec_as_git sed -i "/#start-artifacts-aws/,/#end-artifacts-aws/d" ${GITLAB_CONFIG}
exec_as_git sed -i "/#start-artifacts-gcs/d" ${GITLAB_CONFIG}
exec_as_git sed -i "/#end-artifacts-gcs/d" ${GITLAB_CONFIG}
fi
if [[ "${GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_PROVIDER}" == "AWS" ]]; then
echo " -> AWS ARTIFACTS provider selected removing Google config"
exec_as_git sed -i "/#start-artifacts-gcs/,/#end-artifacts-gcs/d" ${GITLAB_CONFIG}
exec_as_git sed -i "/#start-artifacts-aws/d" ${GITLAB_CONFIG}
exec_as_git sed -i "/#end-artifacts-aws/d" ${GITLAB_CONFIG}
fi
update_template ${GITLAB_CONFIG} \
GITLAB_ARTIFACTS_OBJECT_STORE_ENABLED \
GITLAB_ARTIFACTS_OBJECT_STORE_REMOTE_DIRECTORY \
GITLAB_ARTIFACTS_OBJECT_STORE_DIRECT_UPLOAD \
GITLAB_ARTIFACTS_OBJECT_STORE_BACKGROUND_UPLOAD \
GITLAB_ARTIFACTS_OBJECT_STORE_PROXY_DOWNLOAD \
GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_PROVIDER \
GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID \
GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY \
GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_REGION \
GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_HOST \
GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_ENDPOINT \
GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_PATH_STYLE \
GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT \
GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL \
GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION
else
exec_as_git sed -i -e "/path: {{GITLAB_ARTIFACTS_DIR}}/{n;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;d;}" ${GITLAB_CONFIG}
fi
echo "Configuring gitlab::artifacts..."
update_template ${GITLAB_CONFIG} \
GITLAB_ARTIFACTS_ENABLED \
GITLAB_ARTIFACTS_DIR
}
gitlab_configure_lfs() {
if [[ ${GITLAB_LFS_OBJECT_STORE_ENABLED} == true ]]; then
echo "Configuring gitlab::lfs:object_store"
if [[ "${GITLAB_LFS_OBJECT_STORE_CONNECTION_PROVIDER}" == "Google" ]]; then
echo " -> Google LFS provider selected removing aws config"
exec_as_git sed -i "/#start-lfs-aws/,/#end-lfs-aws/d" ${GITLAB_CONFIG}
exec_as_git sed -i "/#start-lfs-gcs/d" ${GITLAB_CONFIG}
exec_as_git sed -i "/#end-lfs-gcs/d" ${GITLAB_CONFIG}
fi
if [[ "${GITLAB_LFS_OBJECT_STORE_CONNECTION_PROVIDER}" == "AWS" ]]; then
echo " -> AWS LFS provider selected removing Google config"
exec_as_git sed -i "/#start-lfs-gcs/,/#end-lfs-gcs/d" ${GITLAB_CONFIG}
exec_as_git sed -i "/#start-lfs-aws/d" ${GITLAB_CONFIG}
exec_as_git sed -i "/#end-lfs-aws/d" ${GITLAB_CONFIG}
fi
update_template ${GITLAB_CONFIG} \
GITLAB_LFS_OBJECT_STORE_ENABLED \
GITLAB_LFS_OBJECT_STORE_REMOTE_DIRECTORY \
GITLAB_LFS_OBJECT_STORE_DIRECT_UPLOAD \
GITLAB_LFS_OBJECT_STORE_BACKGROUND_UPLOAD \
GITLAB_LFS_OBJECT_STORE_PROXY_DOWNLOAD \
GITLAB_LFS_OBJECT_STORE_CONNECTION_PROVIDER \
GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID \
GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY \
GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_REGION \
GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_HOST \
GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_ENDPOINT \
GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_PATH_STYLE \
GITLAB_LFS_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT \
GITLAB_LFS_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL \
GITLAB_LFS_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION
else
exec_as_git sed -i -e "/path: {{GITLAB_LFS_OBJECTS_DIR}}/{n;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;d;}" ${GITLAB_CONFIG}
fi
echo "Configuring gitlab::lfs..."
update_template ${GITLAB_CONFIG} \
GITLAB_LFS_ENABLED \
GITLAB_LFS_OBJECTS_DIR
}
gitlab_configure_uploads() {
if [[ ${GITLAB_UPLOADS_OBJECT_STORE_ENABLED} == true ]]; then
echo "Configuring gitlab::uploads:object_store"
if [[ "${GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_PROVIDER}" == "Google" ]]; then
echo " -> Google UPLOADS provider selected removing aws config"
exec_as_git sed -i "/#start-uploads-aws/,/#end-uploads-aws/d" ${GITLAB_CONFIG}
exec_as_git sed -i "/#start-uploads-gcs/d" ${GITLAB_CONFIG}
exec_as_git sed -i "/#end-uploads-gcs/d" ${GITLAB_CONFIG}
fi
if [[ "${GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_PROVIDER}" == "AWS" ]]; then
echo " -> AWS UPLOADS provider selected removing Google config"
exec_as_git sed -i "/#start-uploads-gcs/,/#end-uploads-gcs/d" ${GITLAB_CONFIG}
exec_as_git sed -i "/#start-uploads-aws/d" ${GITLAB_CONFIG}
exec_as_git sed -i "/#end-uploads-aws/d" ${GITLAB_CONFIG}
fi
update_template ${GITLAB_CONFIG} \
GITLAB_UPLOADS_OBJECT_STORE_ENABLED \
GITLAB_UPLOADS_OBJECT_STORE_REMOTE_DIRECTORY \
GITLAB_UPLOADS_OBJECT_STORE_DIRECT_UPLOAD \
GITLAB_UPLOADS_OBJECT_STORE_BACKGROUND_UPLOAD \
GITLAB_UPLOADS_OBJECT_STORE_PROXY_DOWNLOAD \
GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_PROVIDER \
GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID \
GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY \
GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_REGION \
GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_HOST \
GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_ENDPOINT \
GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_PATH_STYLE \
GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_GOOGLE_PROJECT \
GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL \
GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION
else
exec_as_git sed -i -e "/base_dir: {{GITLAB_UPLOADS_BASE_DIR}}/{n;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;d;}" ${GITLAB_CONFIG}
fi
echo "Configuring gitlab::uploads..."
update_template ${GITLAB_CONFIG} \
GITLAB_UPLOADS_STORAGE_PATH \
GITLAB_UPLOADS_BASE_DIR
}
gitlab_configure_mattermost() {
echo "Configuring gitlab::mattermost..."
update_template ${GITLAB_CONFIG} \
GITLAB_MATTERMOST_ENABLED \
GITLAB_MATTERMOST_URL
}
gitlab_configure_project_features() {
echo "Configuring gitlab::project_features..."
update_template ${GITLAB_CONFIG} \
GITLAB_PROJECTS_ISSUES \
GITLAB_PROJECTS_MERGE_REQUESTS \
GITLAB_PROJECTS_WIKI \
GITLAB_PROJECTS_SNIPPETS \
GITLAB_PROJECTS_BUILDS \
GITLAB_PROJECTS_CONTAINER_REGISTRY \
GITLAB_WEBHOOK_TIMEOUT
}
gitlab_configure_registry(){
echo "Configuring gitlab::registry..."
if [[ ${GITLAB_REGISTRY_PORT} == 443 ]]; then
# Sets GITLAB_REGISTRY_PORT empty for the scope of this function.
# This helps us to add an empty key to `.gitlab-ci.yml`.
# Because 443 is the default https port it doesn't need to be included in docker push/pull commands
# and shouldn't be displayed on the gitlab ui.
# Example: `docker pull registry:443/some/image` is the same as `docker pull registry/some/image`
local GITLAB_REGISTRY_PORT=""
fi
update_template ${GITLAB_CONFIG} \
GITLAB_REGISTRY_ENABLED \
GITLAB_REGISTRY_DIR \
GITLAB_REGISTRY_HOST \
GITLAB_REGISTRY_PORT \
GITLAB_REGISTRY_API_URL \
GITLAB_REGISTRY_KEY_PATH \
GITLAB_REGISTRY_ISSUER
}
gitlab_configure_pages(){
echo "Configuring gitlab::pages..."
update_template ${GITLAB_CONFIG} \
GITLAB_PAGES_ENABLED \
GITLAB_PAGES_DOMAIN \
GITLAB_PAGES_PORT \
GITLAB_PAGES_HTTPS \
GITLAB_PAGES_ARTIFACTS_SERVER \
GITLAB_PAGES_ACCESS_CONTROL
if [[ -n ${GITLAB_PAGES_EXTERNAL_HTTP} ]]; then
update_template ${GITLAB_CONFIG} \
GITLAB_PAGES_EXTERNAL_HTTP
else
exec_as_git sed -ie "/{{GITLAB_PAGES_EXTERNAL_HTTP}}/d" ${GITLAB_CONFIG}
fi
if [[ -n ${GITLAB_PAGES_EXTERNAL_HTTPS} ]]; then
update_template ${GITLAB_CONFIG} \
GITLAB_PAGES_EXTERNAL_HTTPS
else
exec_as_git sed -ie "/{{GITLAB_PAGES_EXTERNAL_HTTPS}}/d" ${GITLAB_CONFIG}
fi
}
gitlab_configure_sentry(){
echo "Configuring gitlab::sentry..."
update_template ${GITLAB_CONFIG} \
SENTRY_ENABLED \
SENTRY_DSN \
SENTRY_CLIENTSIDE_DSN \
SENTRY_ENVIRONMENT
}
nginx_configure_gitlab_ssl() {
if [[ ${GITLAB_HTTPS} == true && -f ${SSL_CERTIFICATE_PATH} && -f ${SSL_KEY_PATH} && -f ${SSL_DHPARAM_PATH} ]]; then
echo "Configuring nginx::gitlab::ssl..."
if [[ ! -f ${SSL_CA_CERTIFICATES_PATH} ]]; then
sed -i "/{{SSL_CA_CERTIFICATES_PATH}}/d" ${GITLAB_NGINX_CONFIG}
fi
update_template ${GITLAB_NGINX_CONFIG} \
SSL_CERTIFICATE_PATH \
SSL_KEY_PATH \
SSL_DHPARAM_PATH \
SSL_VERIFY_CLIENT \
SSL_CA_CERTIFICATES_PATH \
SSL_CIPHERS
fi
}
nginx_configure_gitlab_hsts() {
if [[ ${GITLAB_HTTPS} == true ]]; then
echo "Configuring nginx::gitlab::hsts..."
if [[ ${NGINX_HSTS_ENABLED} != true ]]; then
sed -i "/{{NGINX_HSTS_MAXAGE}}/d" ${GITLAB_NGINX_CONFIG}
fi
update_template ${GITLAB_NGINX_CONFIG} NGINX_HSTS_MAXAGE
else
sed -i "/{{NGINX_HSTS_MAXAGE}}/d" ${GITLAB_NGINX_CONFIG}
fi
}
nginx_configure_gitlab_ipv6() {
if [[ ! -f /proc/net/if_inet6 ]]; then
# disable ipv6 support in nginx for gitlab
sed -i \
-e "/listen \[::\]:80/d" \
-e "/listen \[::\]:443/d" \
${GITLAB_NGINX_CONFIG}
# disable ipv6 support in nginx for pages
if [[ ${GITLAB_PAGES_ENABLED} == true ]]; then
if [[ ${GITLAB_PAGES_NGINX_PROXY} == true ]]; then
sed -i \
-e "/listen \[::\]:80/d" \
-e "/listen \[::\]:443/d" \
${GITLAB_PAGES_NGINX_CONFIG}
fi
fi
fi
}
nginx_configure_gitlab_real_ip() {
if [[ ${NGINX_REAL_IP_RECURSIVE} == on && \
-n ${NGINX_REAL_IP_TRUSTED_ADDRESSES} ]]; then
echo "Configuring nginx::gitlab::real_ip..."
update_template ${GITLAB_NGINX_CONFIG} \
NGINX_REAL_IP_RECURSIVE \
NGINX_REAL_IP_TRUSTED_ADDRESSES
else
NGINX_REAL_IP_RECURSIVE="off"
update_template ${GITLAB_NGINX_CONFIG} \
NGINX_REAL_IP_RECURSIVE
sed -i "/{{NGINX_REAL_IP_TRUSTED_ADDRESSES}}/d" ${GITLAB_NGINX_CONFIG}
fi
}
nginx_configure_gitlab() {
echo "Configuring nginx::gitlab..."
update_template ${GITLAB_NGINX_CONFIG} \
GITLAB_INSTALL_DIR \
GITLAB_LOG_DIR \
GITLAB_HOST \
GITLAB_PORT \
NGINX_PROXY_BUFFERING \
NGINX_ACCEL_BUFFERING \
NGINX_X_FORWARDED_PROTO
nginx_configure_gitlab_ssl
nginx_configure_gitlab_hsts
nginx_configure_gitlab_ipv6
nginx_configure_gitlab_real_ip
}
nginx_configure_gitlab_ci() {
if [[ -n $GITLAB_CI_HOST ]]; then
echo "Configuring nginx::gitlab_ci..."
DNS_RESOLVERS=$(cat /etc/resolv.conf | grep '^\s*nameserver' | awk '{print $2}' ORS=' ')
update_template ${GITLAB_CI_NGINX_CONFIG} \
GITLAB_LOG_DIR \
GITLAB_HOST \
GITLAB_CI_HOST \
DNS_RESOLVERS
fi
}
nginx_configure_gitlab_registry() {
if [[ $GITLAB_REGISTRY_ENABLED == true && -f ${SSL_REGISTRY_CERT_PATH} && -f ${SSL_REGISTRY_KEY_PATH} ]]; then
echo "Configuring nginx::gitlab-registry..."
update_template ${GITLAB_REGISTRY_NGINX_CONFIG} \
GITLAB_LOG_DIR \
GITLAB_REGISTRY_PORT \
GITLAB_REGISTRY_HOST \
GITLAB_REGISTRY_API_URL \
SSL_REGISTRY_KEY_PATH \
SSL_REGISTRY_CERT_PATH
fi
}
nginx_configure_pages(){
local GITLAB_PAGES_DOMAIN=$(echo $GITLAB_PAGES_DOMAIN | sed 's/\./\\\\./g')
if [[ ${GITLAB_PAGES_ENABLED} == true ]]; then
echo "Configuring nginx::gitlab-pages..."
if [[ ${GITLAB_PAGES_NGINX_PROXY} == true ]]; then
if [[ ${GITLAB_PAGES_HTTPS} == true ]]; then
update_template ${GITLAB_PAGES_NGINX_CONFIG} \
GITLAB_PORT \
GITLAB_PAGES_DOMAIN \
GITLAB_PAGES_PORT \
GITLAB_LOG_DIR \
GITLAB_PAGES_DOMAIN \
SSL_PAGES_CERT_PATH \
SSL_PAGES_KEY_PATH \
SSL_DHPARAM_PATH \
GITLAB_LOG_DIR
else
update_template ${GITLAB_PAGES_NGINX_CONFIG} \
GITLAB_PAGES_DOMAIN \
GITLAB_LOG_DIR
fi
else
echo "Gitlab pages nginx proxy disabled"
echo "Assuming custom domain setup with own HTTP(S) load balancer'"
fi
fi
}
# _|_|_| _| _| _|
# _| _| _| _| _|_|_| _| _|_|_|
# _|_|_| _| _| _| _| _| _| _|
# _| _| _| _| _| _| _| _|
# _| _|_|_| _|_|_| _| _| _|_|_|
map_uidgid() {
USERMAP_ORIG_UID=$(id -u ${GITLAB_USER})
USERMAP_ORIG_GID=$(id -g ${GITLAB_USER})
USERMAP_GID=${USERMAP_GID:-${USERMAP_UID:-$USERMAP_ORIG_GID}}
USERMAP_UID=${USERMAP_UID:-$USERMAP_ORIG_UID}
if [[ ${USERMAP_UID} != ${USERMAP_ORIG_UID} ]] || [[ ${USERMAP_GID} != ${USERMAP_ORIG_GID} ]]; then
echo "Mapping UID and GID for ${GITLAB_USER}:${GITLAB_USER} to $USERMAP_UID:$USERMAP_GID"
groupmod -o -g ${USERMAP_GID} ${GITLAB_USER}
sed -i -e "s|:${USERMAP_ORIG_UID}:${USERMAP_GID}:|:${USERMAP_UID}:${USERMAP_GID}:|" /etc/passwd
find ${GITLAB_HOME} -path ${GITLAB_DATA_DIR}/\* -prune -o -print0 | xargs -0 chown -h ${GITLAB_USER}:
fi
}
update_ca_certificates() {
if [[ -f ${SSL_CERTIFICATE_PATH} || -f ${SSL_CA_CERTIFICATES_PATH} || -f ${SSL_REGISTRY_CERT_PATH} ]]; then
echo "Updating CA certificates..."
[[ -f ${SSL_CERTIFICATE_PATH} ]] && cp "${SSL_CERTIFICATE_PATH}" /usr/local/share/ca-certificates/gitlab.crt
[[ -f ${SSL_CA_CERTIFICATES_PATH} ]] && cp "${SSL_CA_CERTIFICATES_PATH}" /usr/local/share/ca-certificates/ca.crt
[[ -f ${SSL_REGISTRY_CERT_PATH} ]] && cp "${SSL_REGISTRY_CERT_PATH}" /usr/local/share/ca-certificates/registry-ca.crt
update-ca-certificates --fresh >/dev/null
fi
}
initialize_logdir() {
echo "Initializing logdir..."
mkdir -p ${GITLAB_LOG_DIR}/supervisor
chmod -R 0755 ${GITLAB_LOG_DIR}/supervisor
chown -R root: ${GITLAB_LOG_DIR}/supervisor
mkdir -p ${GITLAB_LOG_DIR}/nginx
chmod -R 0755 ${GITLAB_LOG_DIR}/nginx
chown -R ${GITLAB_USER}: ${GITLAB_LOG_DIR}/nginx
mkdir -p ${GITLAB_LOG_DIR}/gitlab
chmod -R 0755 ${GITLAB_LOG_DIR}/gitlab
chown -R ${GITLAB_USER}: ${GITLAB_LOG_DIR}/gitlab
mkdir -p ${GITLAB_LOG_DIR}/gitlab-shell
chmod -R 0755 ${GITLAB_LOG_DIR}/gitlab-shell
chown -R ${GITLAB_USER}: ${GITLAB_LOG_DIR}/gitlab-shell
}
initialize_datadir() {
echo "Initializing datadir..."
chmod 755 ${GITLAB_DATA_DIR}
chown ${GITLAB_USER}: ${GITLAB_DATA_DIR}
# create the ssh directory for server keys
mkdir -p ${GITLAB_DATA_DIR}/ssh
chown -R root: ${GITLAB_DATA_DIR}/ssh
# create the repositories directory and make sure it has the right permissions
mkdir -p ${GITLAB_REPOS_DIR}
chown ${GITLAB_USER}: ${GITLAB_REPOS_DIR}
chmod ug+rwX,o-rwx ${GITLAB_REPOS_DIR}
exec_as_git chmod g+s ${GITLAB_REPOS_DIR}
# create build traces directory
mkdir -p ${GITLAB_BUILDS_DIR}
chmod u+rwX ${GITLAB_BUILDS_DIR}
chown ${GITLAB_USER}: ${GITLAB_BUILDS_DIR}
# gitlab:backup:create does not respect the builds_path configuration, so we
# symlink ${GITLAB_INSTALL_DIR}/builds -> ${GITLAB_BUILDS_DIR}
rm -rf ${GITLAB_INSTALL_DIR}/builds
ln -sf ${GITLAB_BUILDS_DIR} ${GITLAB_INSTALL_DIR}/builds
# create downloads directory
mkdir -p ${GITLAB_DOWNLOADS_DIR}
chmod u+rwX ${GITLAB_DOWNLOADS_DIR}
chown ${GITLAB_USER}: ${GITLAB_DOWNLOADS_DIR}
# create shared directory
mkdir -p ${GITLAB_SHARED_DIR}
chmod u+rwX ${GITLAB_SHARED_DIR}
chown ${GITLAB_USER}: ${GITLAB_SHARED_DIR}
# create attifacts dir
mkdir -p ${GITLAB_ARTIFACTS_DIR}
chmod u+rwX ${GITLAB_ARTIFACTS_DIR}
chown ${GITLAB_USER}: ${GITLAB_ARTIFACTS_DIR}
# create pages dir
mkdir -p ${GITLAB_PAGES_DIR}
chmod u+rwX ${GITLAB_PAGES_DIR}
chown ${GITLAB_USER}: ${GITLAB_PAGES_DIR}
# symlink ${GITLAB_INSTALL_DIR}/shared -> ${GITLAB_DATA_DIR}/shared
rm -rf ${GITLAB_INSTALL_DIR}/shared
ln -sf ${GITLAB_SHARED_DIR} ${GITLAB_INSTALL_DIR}/shared
# create lfs-objects directory
mkdir -p ${GITLAB_LFS_OBJECTS_DIR}
chmod u+rwX ${GITLAB_LFS_OBJECTS_DIR}
chown ${GITLAB_USER}: ${GITLAB_LFS_OBJECTS_DIR}
# create registry dir
if [[ ${GITLAB_REGISTRY_ENABLED} == true ]]; then
mkdir -p ${GITLAB_REGISTRY_DIR}
chmod u+rwX ${GITLAB_REGISTRY_DIR}
chown ${GITLAB_USER}: ${GITLAB_REGISTRY_DIR}
fi
# create the backups directory
mkdir -p ${GITLAB_BACKUP_DIR}
if [[ ${GITLAB_BACKUP_DIR_CHOWN} == true ]]; then
chown ${GITLAB_USER}: ${GITLAB_BACKUP_DIR}
fi
# create the uploads directory
mkdir -p ${GITLAB_DATA_DIR}/uploads
chmod 0700 ${GITLAB_DATA_DIR}/uploads
chown ${GITLAB_USER}: ${GITLAB_DATA_DIR}/uploads
# create the .ssh directory
mkdir -p ${GITLAB_DATA_DIR}/.ssh
touch ${GITLAB_DATA_DIR}/.ssh/authorized_keys
chmod 700 ${GITLAB_DATA_DIR}/.ssh
chmod 600 ${GITLAB_DATA_DIR}/.ssh/authorized_keys
chown -R ${GITLAB_USER}: ${GITLAB_DATA_DIR}/.ssh
# recompile and persist assets when relative_url is in use
if [[ -n ${GITLAB_RELATIVE_URL_ROOT} ]]; then
mkdir -p ${GITLAB_TEMP_DIR}/cache
chmod 755 ${GITLAB_TEMP_DIR}/cache
chown ${GITLAB_USER}: ${GITLAB_TEMP_DIR}/cache
mkdir -p ${GITLAB_TEMP_DIR}/assets
chmod 755 ${GITLAB_TEMP_DIR}/assets
chown ${GITLAB_USER}: ${GITLAB_TEMP_DIR}/assets
# symlink ${GITLAB_INSTALL_DIR}/tmp/cache -> ${GITLAB_TEMP_DIR}/cache
rm -rf ${GITLAB_INSTALL_DIR}/tmp/cache
exec_as_git ln -s ${GITLAB_TEMP_DIR}/cache ${GITLAB_INSTALL_DIR}/tmp/cache
# symlink ${GITLAB_INSTALL_DIR}/public/assets -> ${GITLAB_TEMP_DIR}/assets
rm -rf ${GITLAB_INSTALL_DIR}/public/assets
exec_as_git ln -s ${GITLAB_TEMP_DIR}/assets ${GITLAB_INSTALL_DIR}/public/assets
fi
}
sanitize_datadir() {
echo "Sanitizing datadir. Please be patient..."
chmod -R ug+rwX,o-rwx ${GITLAB_REPOS_DIR}/
chmod -R ug-s ${GITLAB_REPOS_DIR}/
find ${GITLAB_REPOS_DIR}/ -type d -print0 | xargs -0 chmod g+s
chown -R ${GITLAB_USER}: ${GITLAB_REPOS_DIR}
chmod -R u+rwX ${GITLAB_BUILDS_DIR}
chown -R ${GITLAB_USER}: ${GITLAB_BUILDS_DIR}
chmod -R u+rwX ${GITLAB_DOWNLOADS_DIR}
chown -R ${GITLAB_USER}: ${GITLAB_DOWNLOADS_DIR}
chmod -R u+rwX ${GITLAB_TEMP_DIR}
chown -R ${GITLAB_USER}: ${GITLAB_TEMP_DIR}
chmod -R u+rwX ${GITLAB_SHARED_DIR}
chown -R ${GITLAB_USER}: ${GITLAB_SHARED_DIR}
chmod -R u+rwX ${GITLAB_ARTIFACTS_DIR}
chown -R ${GITLAB_USER}: ${GITLAB_ARTIFACTS_DIR}
chmod -R u+rwX ${GITLAB_PAGES_DIR}
chown -R ${GITLAB_USER}: ${GITLAB_PAGES_DIR}
chmod -R u+rwX ${GITLAB_LFS_OBJECTS_DIR}
chown -R ${GITLAB_USER}: ${GITLAB_LFS_OBJECTS_DIR}
if [[ ${GITLAB_REGISTRY_ENABLED} == true ]]; then
chmod -R u+rwX ${GITLAB_REGISTRY_DIR}
chown -R ${GITLAB_USER}: ${GITLAB_REGISTRY_DIR}
fi
find ${GITLAB_DATA_DIR}/uploads -type f -exec chmod 0644 {} \;
find ${GITLAB_DATA_DIR}/uploads -type d -not -path ${GITLAB_DATA_DIR}/uploads -exec chmod 0755 {} \;
chmod 0700 ${GITLAB_DATA_DIR}/uploads/
chown ${GITLAB_USER}: ${GITLAB_DATA_DIR}/uploads/
echo "Creating gitlab-shell hooks..."
exec_as_git ${GITLAB_SHELL_INSTALL_DIR}/bin/create-hooks
}
generate_ssh_key() {
echo -n "${1^^} "
ssh-keygen -qt ${1} -N '' -f ${2}
}
generate_ssh_host_keys() {
sed -i "s|#HostKey /etc/ssh/|HostKey ${GITLAB_DATA_DIR}/ssh/|g" /etc/ssh/sshd_config
if [[ ! -e ${GITLAB_DATA_DIR}/ssh/ssh_host_rsa_key ]]; then
echo -n "Generating OpenSSH host keys... "
generate_ssh_key rsa ${GITLAB_DATA_DIR}/ssh/ssh_host_rsa_key
generate_ssh_key dsa ${GITLAB_DATA_DIR}/ssh/ssh_host_dsa_key
generate_ssh_key ecdsa ${GITLAB_DATA_DIR}/ssh/ssh_host_ecdsa_key
generate_ssh_key ed25519 ${GITLAB_DATA_DIR}/ssh/ssh_host_ed25519_key
echo
fi
# ensure existing host keys have the right permissions
chmod 0600 ${GITLAB_DATA_DIR}/ssh/*_key
chmod 0644 ${GITLAB_DATA_DIR}/ssh/*.pub
}
initialize_system() {
map_uidgid
initialize_logdir
initialize_datadir
update_ca_certificates
generate_ssh_host_keys
install_configuration_templates
rm -rf /var/run/supervisor.sock
}
install_configuration_templates() {
echo "Installing configuration templates..."
install_template ${GITLAB_USER}: gitlabhq/gitlab.yml ${GITLAB_CONFIG} 0640
install_template ${GITLAB_USER}: gitlabhq/database.yml ${GITLAB_DATABASE_CONFIG} 0640
install_template ${GITLAB_USER}: gitlabhq/unicorn.rb ${GITLAB_UNICORN_CONFIG} 0644
install_template ${GITLAB_USER}: gitlabhq/rack_attack.rb ${GITLAB_RACK_ATTACK_CONFIG} 0644
install_template ${GITLAB_USER}: gitlabhq/resque.yml ${GITLAB_RESQUE_CONFIG} 0640
install_template ${GITLAB_USER}: gitlabhq/secrets.yml ${GITLAB_SECRETS_CONFIG} 0600
install_template ${GITLAB_USER}: gitlab-shell/config.yml ${GITLAB_SHELL_CONFIG} 0640
if [[ -n ${GITLAB_RELATIVE_URL_ROOT} ]]; then
install_template ${GITLAB_USER}: gitlabhq/relative_url.rb ${GITLAB_RELATIVE_URL_CONFIG} 0644
fi
if [[ ${SMTP_ENABLED} == true ]]; then
install_template ${GITLAB_USER}: gitlabhq/smtp_settings.rb ${GITLAB_SMTP_CONFIG}
fi
# custom user specified robots.txt
if [[ -f ${GITLAB_ROBOTS_PATH} ]]; then
exec_as_git cp ${GITLAB_ROBOTS_PATH} ${GITLAB_ROBOTS_CONFIG}
fi
## ${GITLAB_NGINX_CONFIG}
if [[ ${GITLAB_HTTPS} == true ]]; then
if [[ -f ${SSL_CERTIFICATE_PATH} && -f ${SSL_KEY_PATH} && -f ${SSL_DHPARAM_PATH} ]]; then
install_template root: nginx/gitlab-ssl ${GITLAB_NGINX_CONFIG}
else
echo "SSL Key, SSL Certificate and DHParam were not found."
echo "Assuming that the container is running behind a HTTPS enabled load balancer."
install_template root: nginx/gitlab ${GITLAB_NGINX_CONFIG}
fi
else
install_template root: nginx/gitlab ${GITLAB_NGINX_CONFIG}
fi
## ${GITLAB_PAGES_NGINX_CONFIG}
if [[ ${GITLAB_PAGES_ENABLED} == true ]]; then
if [[ ${GITLAB_PAGES_HTTPS} == true && -f ${SSL_PAGES_CERT_PATH} && -f ${SSL_PAGES_KEY_PATH} ]]; then
if [[ ${GITLAB_PAGES_NGINX_PROXY} == true ]]; then
install_template root: nginx/gitlab-pages-ssl ${GITLAB_PAGES_NGINX_CONFIG}
else
echo "Gitlab pages nginx proxy disabled"
echo "Assuming custom domain setup with own HTTP(S) load balancer'"
fi
else
if [[ ${GITLAB_PAGES_NGINX_PROXY} == true ]]; then
echo "SSL Key, SSL Certificate were not found."
echo "Assuming that the container is running behind a HTTPS enabled load balancer."
install_template root: nginx/gitlab-pages ${GITLAB_PAGES_NGINX_CONFIG}
else
echo "Gitlab pages nginx proxy disabled"
echo "Assuming custom domain setup with own HTTP(S) load balancer'"
fi
fi
fi
if [[ -n $GITLAB_CI_HOST ]]; then
install_template root: nginx/gitlab_ci ${GITLAB_CI_NGINX_CONFIG}
fi
if [[ ${GITLAB_REGISTRY_ENABLED} == true ]]; then
if [[ -f ${SSL_REGISTRY_CERT_PATH} && -f ${SSL_REGISTRY_KEY_PATH} ]]; then
install_template root: nginx/gitlab-registry ${GITLAB_REGISTRY_NGINX_CONFIG}
else
echo "SSL key and certificates for Registry were not found"
echo "Assuming that the Registry is running behind a HTTPS enabled load balancer."
fi
fi
install_template ${GITLAB_USER}: gitaly/config.toml ${GITLAB_GITALY_CONFIG}
}
configure_gitlab() {
echo "Configuring gitlab..."
update_template ${GITLAB_CONFIG} \
GITLAB_INSTALL_DIR \
GITLAB_SHELL_INSTALL_DIR \
GITLAB_DATA_DIR \
GITLAB_REPOS_DIR \
GITLAB_DOWNLOADS_DIR \
GITLAB_SHARED_DIR \
GITLAB_HOST \
GITLAB_PORT \
GITLAB_RELATIVE_URL_ROOT \
GITLAB_HTTPS \
GITLAB_SSH_HOST \
GITLAB_SSH_PORT \
GITLAB_SIGNUP_ENABLED \
GITLAB_IMPERSONATION_ENABLED \
GITLAB_PROJECTS_LIMIT \
GITLAB_USERNAME_CHANGE \
GITLAB_DEFAULT_THEME \
GITLAB_CREATE_GROUP
gitlab_configure_database
gitlab_configure_redis
gitlab_configure_secrets
gitlab_configure_sidekiq
gitlab_configure_gitaly
gitlab_configure_monitoring
gitlab_configure_gitlab_workhorse
gitlab_configure_relative_url
gitlab_configure_trusted_proxies
gitlab_configure_unicorn
gitlab_configure_timezone
gitlab_configure_rack_attack
gitlab_configure_ci
gitlab_configure_artifacts
gitlab_configure_lfs
gitlab_configure_uploads
gitlab_configure_mattermost
gitlab_configure_project_features
gitlab_configure_mail_delivery
gitlab_configure_mailroom
gitlab_configure_oauth
gitlab_configure_ldap
gitlab_configure_gravatar
gitlab_configure_cron_jobs
gitlab_configure_analytics
gitlab_configure_backups
gitlab_configure_registry
gitlab_configure_pages
gitlab_configure_sentry
# remove stale gitlab.socket
rm -rf ${GITLAB_INSTALL_DIR}/tmp/sockets/gitlab.socket
}
configure_gitlab_shell() {
echo "Configuring gitlab-shell..."
update_template ${GITLAB_SHELL_CONFIG} \
GITLAB_RELATIVE_URL_ROOT \
GITLAB_HOME \
GITLAB_LOG_DIR \
GITLAB_SHELL_INSTALL_DIR \
SSL_SELF_SIGNED \
REDIS_HOST \
REDIS_PORT \
REDIS_DB_NUMBER
}
configure_gitlab_pages() {
if [[ ${GITLAB_PAGES_ENABLED} == true ]]; then
echo "Configuring gitlab-pages..."
cat > /etc/supervisor/conf.d/gitlab-pages.conf <<EOF
[program:gitlab-pages]
priority=20
directory=${GITLAB_INSTALL_DIR}
environment=HOME=${GITLAB_HOME}
command=/usr/local/bin/gitlab-pages
-pages-domain ${GITLAB_PAGES_DOMAIN}
-pages-root ${GITLAB_PAGES_DIR}
-listen-proxy :8090
EOF
if [[ -n ${GITLAB_PAGES_EXTERNAL_HTTP} ]]; then
cat >> /etc/supervisor/conf.d/gitlab-pages.conf <<EOF
-listen-http ${GITLAB_PAGES_EXTERNAL_HTTP}
EOF
fi
if [[ -n ${GITLAB_PAGES_EXTERNAL_HTTPS} ]]; then
cat >> /etc/supervisor/conf.d/gitlab-pages.conf <<EOF
-listen-https ${GITLAB_PAGES_EXTERNAL_HTTPS}
-root-cert ${SSL_PAGES_CERT_PATH}
-root-key ${SSL_PAGES_KEY_PATH}
EOF
fi
if [[ ${GITLAB_PAGES_ACCESS_CONTROL} == true ]]; then
if [[ -z ${GITLAB_PAGES_ACCESS_SECRET} ]]; then
GITLAB_PAGES_ACCESS_SECRET=$(head /dev/urandom | tr -dc A-Za-z0-9 | head -c 40 ; echo '')
fi
cat >> /etc/supervisor/conf.d/gitlab-pages.conf <<EOF
-auth-server ${GITLAB_PAGES_ACCESS_CONTROL_SERVER}
-auth-secret ${GITLAB_PAGES_ACCESS_SECRET}
-auth-client-id ${GITLAB_PAGES_ACCESS_CLIENT_ID}
-auth-client-secret ${GITLAB_PAGES_ACCESS_CLIENT_SECRET}
-auth-redirect-uri ${GITLAB_PAGES_ACCESS_REDIRECT_URI}
EOF
fi
cat >> /etc/supervisor/conf.d/gitlab-pages.conf <<EOF
user=git
autostart=true
autorestart=true
stdout_logfile=${GITLAB_INSTALL_DIR}/log/%(program_name)s.log
stderr_logfile=${GITLAB_INSTALL_DIR}/log/%(program_name)s.log
EOF
fi
}
configure_nginx() {
echo "Configuring nginx..."
sed -i \
-e "s|worker_processes .*|worker_processes ${NGINX_WORKERS};|" \
-e "s|# server_names_hash_bucket_size 64;|server_names_hash_bucket_size ${NGINX_SERVER_NAMES_HASH_BUCKET_SIZE};|" \
/etc/nginx/nginx.conf
nginx_configure_gitlab
nginx_configure_gitlab_ci
nginx_configure_gitlab_registry
nginx_configure_pages
}
migrate_database() {
# run the `gitlab:setup` rake task if required
QUERY="SELECT count(*) FROM information_schema.tables WHERE table_schema = 'public';"
COUNT=$(PGPASSWORD="${DB_PASS}" psql -h ${DB_HOST} -p ${DB_PORT} -U ${DB_USER} -d ${DB_NAME} -Atw -c "${QUERY}")
if [[ -z ${COUNT} || ${COUNT} -eq 0 ]]; then
echo "Setting up GitLab for firstrun. Please be patient, this could take a while..."
exec_as_git force=yes bundle exec rake gitlab:setup \
${GITLAB_ROOT_PASSWORD:+GITLAB_ROOT_PASSWORD=$GITLAB_ROOT_PASSWORD} \
${GITLAB_ROOT_EMAIL:+GITLAB_ROOT_EMAIL=$GITLAB_ROOT_EMAIL} >/dev/null
fi
# migrate database if the gitlab version has changed.
CACHE_VERSION=
[[ -f ${GITLAB_TEMP_DIR}/VERSION ]] && CACHE_VERSION=$(cat ${GITLAB_TEMP_DIR}/VERSION)
if [[ ${GITLAB_VERSION} != ${CACHE_VERSION} ]]; then
## version check, only upgrades are allowed
if [[ -n ${CACHE_VERSION} && $(vercmp ${GITLAB_VERSION} ${CACHE_VERSION}) -lt 0 ]]; then
echo
echo "ERROR: "
echo " Cannot downgrade from GitLab version ${CACHE_VERSION} to ${GITLAB_VERSION}."
echo " Only upgrades are allowed. Please use sameersbn/gitlab:${CACHE_VERSION} or higher."
echo " Cannot continue. Aborting!"
echo
return 1
fi
if [[ $(vercmp ${GITLAB_VERSION} 8.0.0) -gt 0 ]]; then
if [[ -n ${CACHE_VERSION} && $(vercmp ${CACHE_VERSION} 8.0.0) -lt 0 ]]; then
echo
echo "ABORT: "
echo " Upgrading to GitLab ${GITLAB_VERSION} from ${CACHE_VERSION} is not recommended."
echo " Please upgrade to version 8.0.5-1 before upgrading to 8.1.0 or higher."
echo " Refer to https://git.io/vur4j for CI migration instructions."
echo " Aborting for your own safety!"
echo
return 1
fi
fi
echo "Migrating database..."
exec_as_git bundle exec rake db:migrate >/dev/null
echo "${GITLAB_VERSION}" > ${GITLAB_TEMP_DIR}/VERSION
rm -rf ${GITLAB_TEMP_DIR}/GITLAB_RELATIVE_URL_ROOT # force cache cleanup
fi
# clear cache if relative_url has changed.
[[ -f ${GITLAB_TEMP_DIR}/GITLAB_RELATIVE_URL_ROOT ]] && CACHE_GITLAB_RELATIVE_URL_ROOT=$(cat ${GITLAB_TEMP_DIR}/GITLAB_RELATIVE_URL_ROOT)
if [[ ! -f ${GITLAB_TEMP_DIR}/GITLAB_RELATIVE_URL_ROOT || ${GITLAB_RELATIVE_URL_ROOT} != ${CACHE_GITLAB_RELATIVE_URL_ROOT} ]]; then
# assets need to be recompiled when GITLAB_RELATIVE_URL_ROOT is used
if [[ -n ${GITLAB_RELATIVE_URL_ROOT} ]]; then
echo "Recompiling assets (relative_url in use), this could take a while..."
exec_as_git bundle exec rake gitlab:assets:compile NODE_OPTIONS="--max-old-space-size=4096" >/dev/null 2>&1
fi
echo "Clearing cache..."
exec_as_git bundle exec rake cache:clear >/dev/null 2>&1
echo "${GITLAB_RELATIVE_URL_ROOT}" > ${GITLAB_TEMP_DIR}/GITLAB_RELATIVE_URL_ROOT
fi
}
execute_raketask() {
if [[ -z ${1} ]]; then
echo "Please specify the rake task to execute. See https://github.com/gitlabhq/gitlabhq/tree/master/doc/raketasks"
return 1
fi
if [[ ${1} == gitlab:backup:create ]]; then
/usr/bin/supervisord -c /etc/supervisor/supervisord.conf
supervisorctl stop gitlab_extensions:*
supervisorctl stop gitlab:*
fi
if [[ ${1} == gitlab:backup:restore ]]; then
/usr/bin/supervisord -c /etc/supervisor/supervisord.conf
supervisorctl stop gitlab_extensions:*
supervisorctl stop gitlab:*
interactive=true
for arg in $@
do
if [[ $arg == BACKUP=* ]]; then
interactive=false
break
fi
done
# user needs to select the backup to restore
if [[ $interactive == true ]]; then
nBackups=$(ls ${GITLAB_BACKUP_DIR}/*_gitlab_backup.tar | wc -l)
if [[ $nBackups -eq 0 ]]; then
echo "No backup present. Cannot continue restore process.".
return 1
fi
echo
for b in $(ls ${GITLAB_BACKUP_DIR} | grep _gitlab_backup | sort -r)
do
echo "$b (created at $(date --date="@${b%%_*_gitlab_backup.tar}" +'%d %b, %G - %H:%M:%S %Z'))"
done
echo
read -p "Select a backup to restore: " file
if [[ -z ${file} ]]; then
echo "Backup not specified. Exiting..."
return 1
fi
if [[ ! -f ${GITLAB_BACKUP_DIR}/${file} ]]; then
echo "Specified backup does not exist. Aborting..."
return 1
fi
BACKUP=${file%%_gitlab_backup.tar}
fi
elif [[ ${1} == gitlab:import:repos ]]; then
# sanitize the datadir to avoid permission issues
sanitize_datadir
fi
echo "Running raketask ${1}..."
exec_as_git bundle exec rake $@ ${BACKUP:+BACKUP=$BACKUP}
}
Reference in New Issue View Git Blame Copy Permalink